system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-11-05 18:23:50 +00:00
Code Issues Projects Releases Packages Wiki Activity
linux/net
History
NeilBrown ed2849d3ec sunrpc: prevent use-after-free on clearing XPT_BUSY 
When an xprt is created, it has a refcount of 1, and XPT_BUSY is set.
The refcount is *not* owned by the thread that created the xprt
(as is clear from the fact that creators never put the reference).
Rather, it is owned by the absence of XPT_DEAD.  Once XPT_DEAD is set,
(And XPT_BUSY is clear) that initial reference is dropped and the xprt
can be freed.

So when a creator clears XPT_BUSY it is dropping its only reference and
so must not touch the xprt again.

However svc_recv, after calling ->xpo_accept (and so getting an XPT_BUSY
reference on a new xprt), calls svc_xprt_recieved.  This clears
XPT_BUSY and then svc_xprt_enqueue - this last without owning a reference.
This is dangerous and has been seen to leave svc_xprt_enqueue working
with an xprt containing garbage.

So we need to hold an extra counted reference over that call to
svc_xprt_received.

For safety, any time we clear XPT_BUSY and then use the xprt again, we
first get a reference, and the put it again afterwards.

Note that svc_close_all does not need this extra protection as there are
no threads running, and the final free can only be called asynchronously
from such a thread.

Signed-off-by: NeilBrown <neilb@suse.de>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2010-12-07 20:39:55 -05:00
..
9p net/9p: Return error on read with NULL buffer 2010-10-28 09:08:49 -05:00
802
8021q
appletalk
atm
ax25 net: ax25: fix information leak to userland 2010-11-10 10:14:33 -08:00
bluetooth Bluetooth: fix not setting security level when creating a rfcomm session 2010-11-09 00:56:10 -02:00
bridge
caif caif: Remove noisy printout when disconnecting caif socket 2010-11-03 18:50:04 -07:00
can can-bcm: fix minor heap overflow 2010-11-12 14:07:14 -08:00
ceph Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-11-29 14:36:33 -08:00
core net: allow GFP_HIGHMEM in __vmalloc() 2010-11-21 10:04:04 -08:00
dcb
dccp dccp: fix error in updating the GAR 2010-11-28 11:29:27 -08:00
decnet DECnet: don't leak uninitialized stack byte 2010-11-28 11:32:30 -08:00
dns_resolver
dsa
econet econet: fix CVE-2010-3848 2010-11-24 11:51:47 -08:00
ethernet
ieee802154
ipv4 inet: Fix __inet_inherit_port() to correctly increment bsockets and num_owners 2010-11-28 18:18:44 -08:00
ipv6 ipv6: fix missing in6_ifa_put in addrconf 2010-11-22 07:37:36 -08:00
ipx
irda Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-11-19 15:25:59 -08:00
iucv
key
l2tp l2tp: kzalloc with swapped params in l2tp_dfs_seq_open 2010-11-01 06:56:02 -07:00
lapb
llc
mac80211 leds: fix up dependencies 2010-12-02 14:51:15 -08:00
netfilter netfilter: fix IP_VS dependencies 2010-11-18 13:14:33 -08:00
netlabel
netlink
netrom
packet net: Fix header size check for GSO case in recvmsg (af_packet) 2010-11-12 11:06:46 -08:00
phonet
rds rds: Integer overflow in RDS cmsg handling 2010-11-17 12:20:52 -08:00
rfkill
rose
rxrpc
sched classifier: report statistics for basic classifier 2010-11-08 12:17:05 -08:00
sctp net: avoid limits overflow 2010-11-10 12:12:00 -08:00
sunrpc sunrpc: prevent use-after-free on clearing XPT_BUSY 2010-12-07 20:39:55 -05:00
tipc net: tipc: fix information leak to userland 2010-11-09 09:25:46 -08:00
unix af_unix: limit recursion level 2010-11-29 09:45:15 -08:00
wanrouter
wimax
wireless cfg80211: fix can_beacon_sec_chan, reenable HT40 2010-11-18 11:35:05 -05:00
x25 x25: Prevent crashing when parsing bad X.25 facilities 2010-11-12 12:44:42 -08:00
xfrm net: allow GFP_HIGHMEM in __vmalloc() 2010-11-21 10:04:04 -08:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig
Makefile
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-10-30 18:42:58 -07:00
sysctl_net.c
TUNABLE